DOCSLIB.ORG

Interactive Proof System We Have Seen Interactive Proofs, in Various Disguised Forms, in the Definitions of NP, OTM, Cook Reduction and PH

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Interactive Proof System We Have Seen Interactive Proofs, in Various Disguised Forms, in the Definitions of NP, OTM, Cook Reduction and PH Interactive Proof System We have seen interactive proofs, in various disguised forms, in the definitions of NP, OTM, Cook reduction and PH. We will see that interactive proofs have fundamental connections to cryptography and approximate algorithms. Computational Complexity, by Fu Yuxi Interactive Proof System 1 / 120 It was not until 1985 that the idea of computation through interaction was formally studied by two groups. 1. L. Babai, with a complexity theoretical motivation; 2. S. Goldwasser, S. Micali and C. Rackoff, with a cryptographic motivation. Computational Complexity, by Fu Yuxi Interactive Proof System 2 / 120 An interactive proof system consists of a Prover and a Verifier. 1. Prover’s goal is to convince Verifier of the validity of an assertion through dialogue. 2. Verifier’s objective is to accept/reject the assertion based on the information it gathers from the dialogue. Prover’s answers are adaptive. Adaptivity is the difference between a prover and an oracle. Computational Complexity, by Fu Yuxi Interactive Proof System 3 / 120 Synopsis 1. Introduction 2. Interactive Proof with Private Coins 3. Interactive Proof with Public Coins 4. Set Lower Bound Protocol 5. IP = PSPACE 6. Public Coins versus Private Coins 7. MIP = NEXP 8. Interactive Proof for Multilinear Function 9. IP vs MIP 10. Programme Checking Computational Complexity, by Fu Yuxi Interactive Proof System 4 / 120 Introduction Computational Complexity, by Fu Yuxi Interactive Proof System 5 / 120 Basic Principle A verifier’s job must be easy (polynomial time on input length), otherwise there is no need for any dialogue. A prover can be as powerful as it takes, as long as the answers it produces are short (polynomial size on input length). A verifier is not supposed to ask too many questions. Its best bet is ask random questions. A prover is supposed to provide an answer no matter what. Computational Complexity, by Fu Yuxi Interactive Proof System 6 / 120 Deterministic Verifier A k-round interaction of f and g on input x 2 f0; 1g∗, denoted by hf; gi(x), is the ∗ sequence a1;:::; ak 2 f0; 1g defined as follows: a1 = f(x); a2 = g(x; a1); . a2i+1 = f(x; a1;:::; a2i); for 2i < k a2i+2 = g(x; a1;:::; a2i+1); for 2i + 1 < k . The output of f at the end, noted outfhf; gi(x), is f(x; a1;:::; ak) 2 f0; 1g. f; g : f0; 1g∗ ! f0; 1g∗ are TM’s, and k(n) is a polynomial. Computational Complexity, by Fu Yuxi Interactive Proof System 7 / 120 Deterministic Proof System We say that a language L has a k-round deterministic proof system if there is a TM V that on input x; a1;:::; ak runs in poly(jxj) time, and can have a k(jxj)-round interaction with any TM P such that the following statements are valid: ∗ ∗ Completeness: x 2 L ) 9P : f0; 1g ! f0; 1g :outV(V; P) = 1; ∗ ∗ Soundness: x 2= L ) 8P : f0; 1g ! f0; 1g :outV(V; P) = 0: dIP contains languages with a polynomial round deterministic interactive proof system. Computational Complexity, by Fu Yuxi Interactive Proof System 8 / 120 Deterministic Proof Systems Define NP Fact. dIP = NP. Every NP language has a one-round deterministic proof system. Conversely suppose L 2 dIP. There is a P-time TM V such that ∗ ∗ x 2 L iff 9P : f0; 1g ! f0; 1g :outV(V; P) = 1 iff 9a1; a2;:::; ak:V(x) = a1 ^ V(x; a1; a2) = a3 ^ ::: ^ V(x; a1;:::; ak) = 1: The verification time is polynomial. In a deterministic proof system an almighty prover can predict the questions the verifier asks by running the verifier’s TM, and therefore can provide all answers at onego. Computational Complexity, by Fu Yuxi Interactive Proof System 9 / 120 Interaction + Randomness We shall only be interested in verifiers who ask clever questions. “…in the context of interactive proof systems, asking random questions is as powerful as asking clever questions.” Goldreich Computational Complexity, by Fu Yuxi Interactive Proof System 10 / 120 B has one red sock and one green sock. How can he convince A, who is color blind, that the socks are of different color? Computational Complexity, by Fu Yuxi Interactive Proof System 11 / 120 Interactive Proof with Private Coins Computational Complexity, by Fu Yuxi Interactive Proof System 12 / 120 S. Goldwasser, S. Micali, C. Rackoff. The Knowledge Complexity of Interactive Proofs. 1985. Computational Complexity, by Fu Yuxi Interactive Proof System 13 / 120 Private Coins Model The verifier generates an l-bits r by tossing coins: l r 2R f0; 1g : The verifier of course knows r: a1 = f(x; r); a3 = f(x; r; a1; a2);:::: The prover cannot see r: a2 = g(x; a1); a4 = g(x; a1; a2; a3);:::: Both the interaction hf; gi(x) and the output outfhf; gi(x) are random variables over l r 2R f0; 1g . Computational Complexity, by Fu Yuxi Interactive Proof System 14 / 120 IP, Interactive Proofs with Private Coins Suppose k is a polynomial. A language L is in IP[k(n)] if there’s a P-time PTM V that can have a k(jxj)-round interaction with any TM P and renders valid the following. Completeness. ∗ ∗ x 2 L ) 9P : f0; 1g ! f0; 1g :Pr[outV(V; P) = 1] ≥ 2=3: Soundness. ∗ ∗ x 2= L ) 8P : f0; 1g ! f0; 1g :Pr[outV(V; P) = 1] ≤ 1=3: S c The class IP is defined by c≥1 IP[cn ]. Computational Complexity, by Fu Yuxi Interactive Proof System 15 / 120 BPP Verifier, PSPACE Prover 1. A verifier is a BPP machine. 2. We may assume that a prover is a PSPACE machine. I There is an optimal prover. I A single PSPACE prover suffices for all x 2 L. An almighty prover knows Verifier’s algorithm. I Prover enumerates all answers a2; a4;:::, and uses Verifier’s algorithm to calculate the percentage of the random strings that make verifier to accept. Computational Complexity, by Fu Yuxi Interactive Proof System 16 / 120 IP, Interactive Proofs with Private Coins L 2 IP , there is an interactive proof system of a verifier V 2 BPP and a prover P 2 PSPACE that interact for a polynomial round and renders valid the following. Completeness. x 2 L ) Pr[outV(V; P) = 1] ≥ 2=3: Soundness. x 2= L ) Pr[outV(V; P) = 1] ≤ 1=3: Computational Complexity, by Fu Yuxi Interactive Proof System 17 / 120 IP ⊆ PSPACE Proposition. IP ⊆ PSPACE. Both a PSPACE machine and a BPP machine can be simulated in polynomial space. Computational Complexity, by Fu Yuxi Interactive Proof System 18 / 120 Robustness of IP Fact. IP remains unchanged if we replace the completeness parameter 2=3 by 1 − 2−ns and soundness parameter 1=3 by 2−ns . Proof. Repeat the protocol O(ns) times. Majority rule. Chernoff bound. Since there is an optimal prover, it doesn’t matter if a protocol is repeated sequentially or in parallel. Computational Complexity, by Fu Yuxi Interactive Proof System 19 / 120 Robustness of IP Fact. Allowing prover to use a private coin does not change IP. By average principle we can construct a deterministic prover from a probabilistic prover that is as good as the latter. Computational Complexity, by Fu Yuxi Interactive Proof System 20 / 120 Perfect Completeness An interactive proof system has perfect completeness if its completeness parameter is 1. An interactive proof system has perfect soundness if its soundness parameter is 0. Computational Complexity, by Fu Yuxi Interactive Proof System 21 / 120 Perfect Soundness is Too Strong 1. IP with Perfect Completeness = IP. 2. IP with Perfect Soundness = NP. 1. IP ⊆ PSPACE. A problem in IP is Karp reducible to TQBF. TQBF has an interactive proof system with perfect completeness (using the Sumcheck protocol). 2. If x 2 L, there exists a ‘yes’ certificate. If x 2= L, the verifier always says ‘no’. Computational Complexity, by Fu Yuxi Interactive Proof System 22 / 120 Graph Non-Isomorphism Let GI be the Graph Isomorphism problem; it is not known to be in P. Let GNI = GI, it is not known to be in NP. The nodes of a graph are represented by the numbers 1; 2;:::; n. The isomorphism of G0 to G1 is indicated by π(G0) = G1, where π is a permutation of the nodes of G0. Computational Complexity, by Fu Yuxi Interactive Proof System 23 / 120 Graph Non-Isomorphism Protocol Protocol: Graph Non-Isomorphism V: Pick i 2R f0; 1g. Generate a random permutation graph H of Gi. Send H to P. P: Identify which of G0; G1 was used to produce H and send the index j 2 f0; 1g to V. V: Accept if i = j; reject otherwise. Computational Complexity, by Fu Yuxi Interactive Proof System 24 / 120 Graph Non-Isomorphism Theorem. GNI 2 IP. Proof. If G0 ' G1, the prover’s guess is as good as anyone’s guess. If G0 6' G1, the prover can force the verifier to accept. 1. O. Goldreich, S. Micali, A. Wigderson. Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design. FOCS 1986. Computational Complexity, by Fu Yuxi Interactive Proof System 25 / 120 Quadratic Non-Residuosity A number a is a quadratic residue modulo p if there is some number b such that a ≡ b2 (mod p). I QR = f(a; p) j p is prime and 9b:a ≡ b2 (mod p)g is in NP. Let QNR = QR. The problem QNR is not known to be in NP. Computational Complexity, by Fu Yuxi Interactive Proof System 26 / 120 Quadratic Non-Residuosity Protocol Input. 1. An odd prime number p and a number a.
Load more

Recommended publications
  • Database Theory
    DATABASE THEORY Lecture 4: Complexity of FO Query Answering Markus Krotzsch¨ TU Dresden, 21 April 2016 Overview 1. Introduction | Relational data model 2. First-order queries 3. Complexity of query answering 4. Complexity of FO query answering 5. Conjunctive queries 6. Tree-like conjunctive queries 7. Query optimisation 8. Conjunctive Query Optimisation / First-Order Expressiveness 9. First-Order Expressiveness / Introduction to Datalog 10. Expressive Power and Complexity of Datalog 11. Optimisation and Evaluation of Datalog 12. Evaluation of Datalog (2) 13. Graph Databases and Path Queries 14. Outlook: database theory in practice See course homepage [) link] for more information and materials Markus Krötzsch, 21 April 2016 Database Theory slide 2 of 41 How to Measure Query Answering Complexity Query answering as decision problem { consider Boolean queries Various notions of complexity: • Combined complexity (complexity w.r.t. size of query and database instance) • Data complexity (worst case complexity for any fixed query) • Query complexity (worst case complexity for any fixed database instance) Various common complexity classes: L ⊆ NL ⊆ P ⊆ NP ⊆ PSpace ⊆ ExpTime Markus Krötzsch, 21 April 2016 Database Theory slide 3 of 41 An Algorithm for Evaluating FO Queries function Eval(', I) 01 switch (') f I 02 case p(c1, ::: , cn): return hc1, ::: , cni 2 p 03 case : : return :Eval( , I) 04 case 1 ^ 2 : return Eval( 1, I) ^ Eval( 2, I) 05 case 9x. : 06 for c 2 ∆I f 07 if Eval( [x 7! c], I) then return true 08 g 09 return false 10 g Markus Krötzsch, 21 April 2016 Database Theory slide 4 of 41 FO Algorithm Worst-Case Runtime Let m be the size of ', and let n = jIj (total table sizes) • How many recursive calls of Eval are there? { one per subexpression: at most m • Maximum depth of recursion? { bounded by total number of calls: at most m • Maximum number of iterations of for loop? { j∆Ij ≤ n per recursion level { at most nm iterations I • Checking hc1, ::: , cni 2 p can be done in linear time w.r.t.
    [Show full text]
  • CS601 DTIME and DSPACE Lecture 5 Time and Space Functions: T, S
    CS601 DTIME and DSPACE Lecture 5 Time and Space functions: t, s : N → N+ Definition 5.1 A set A ⊆ U is in DTIME[t(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M) ≡ w ∈ U M(w)=1 , and 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps. Definition 5.2 A set A ⊆ U is in DSPACE[s(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M), and 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells. (Input tape is “read-only” and not counted as space used.) Example: PALINDROMES ∈ DTIME[n], DSPACE[n]. In fact, PALINDROMES ∈ DSPACE[log n]. [Exercise] 1 CS601 F(DTIME) and F(DSPACE) Lecture 5 Definition 5.3 f : U → U is in F (DTIME[t(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. Definition 5.4 f : U → U is in F (DSPACE[s(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. (Input tape is “read-only”; Output tape is “write-only”.
    [Show full text]
  • Interactive Proof Systems and Alternating Time-Space Complexity
    Theoretical Computer Science 113 (1993) 55-73 55 Elsevier Interactive proof systems and alternating time-space complexity Lance Fortnow” and Carsten Lund** Department of Computer Science, Unicersity of Chicago. 1100 E. 58th Street, Chicago, IL 40637, USA Abstract Fortnow, L. and C. Lund, Interactive proof systems and alternating time-space complexity, Theoretical Computer Science 113 (1993) 55-73. We show a rough equivalence between alternating time-space complexity and a public-coin interactive proof system with the verifier having a polynomial-related time-space complexity. Special cases include the following: . All of NC has interactive proofs, with a log-space polynomial-time public-coin verifier vastly improving the best previous lower bound of LOGCFL for this model (Fortnow and Sipser, 1988). All languages in P have interactive proofs with a polynomial-time public-coin verifier using o(log’ n) space. l All exponential-time languages have interactive proof systems with public-coin polynomial-space exponential-time verifiers. To achieve better bounds, we show how to reduce a k-tape alternating Turing machine to a l-tape alternating Turing machine with only a constant factor increase in time and space. 1. Introduction In 1981, Chandra et al. [4] introduced alternating Turing machines, an extension of nondeterministic computation where the Turing machine can make both existential and universal moves. In 1985, Goldwasser et al. [lo] and Babai [l] introduced interactive proof systems, an extension of nondeterministic computation consisting of two players, an infinitely powerful prover and a probabilistic polynomial-time verifier. The prover will try to convince the verifier of the validity of some statement.
    [Show full text]
  • Complexity Theory Lecture 9 Co-NP Co-NP-Complete
    Complexity Theory 1 Complexity Theory 2 co-NP Complexity Theory Lecture 9 As co-NP is the collection of complements of languages in NP, and P is closed under complementation, co-NP can also be characterised as the collection of languages of the form: ′ L = x y y <p( x ) R (x, y) { |∀ | | | | → } Anuj Dawar University of Cambridge Computer Laboratory NP – the collection of languages with succinct certificates of Easter Term 2010 membership. co-NP – the collection of languages with succinct certificates of http://www.cl.cam.ac.uk/teaching/0910/Complexity/ disqualification. Anuj Dawar May 14, 2010 Anuj Dawar May 14, 2010 Complexity Theory 3 Complexity Theory 4 NP co-NP co-NP-complete P VAL – the collection of Boolean expressions that are valid is co-NP-complete. Any language L that is the complement of an NP-complete language is co-NP-complete. Any of the situations is consistent with our present state of ¯ knowledge: Any reduction of a language L1 to L2 is also a reduction of L1–the complement of L1–to L¯2–the complement of L2. P = NP = co-NP • There is an easy reduction from the complement of SAT to VAL, P = NP co-NP = NP = co-NP • ∩ namely the map that takes an expression to its negation. P = NP co-NP = NP = co-NP • ∩ VAL P P = NP = co-NP ∈ ⇒ P = NP co-NP = NP = co-NP • ∩ VAL NP NP = co-NP ∈ ⇒ Anuj Dawar May 14, 2010 Anuj Dawar May 14, 2010 Complexity Theory 5 Complexity Theory 6 Prime Numbers Primality Consider the decision problem PRIME: Another way of putting this is that Composite is in NP.
    [Show full text]
  • If Np Languages Are Hard on the Worst-Case, Then It Is Easy to Find Their Hard Instances
    IF NP LANGUAGES ARE HARD ON THE WORST-CASE, THEN IT IS EASY TO FIND THEIR HARD INSTANCES Dan Gutfreund, Ronen Shaltiel, and Amnon Ta-Shma Abstract. We prove that if NP 6⊆ BPP, i.e., if SAT is worst-case hard, then for every probabilistic polynomial-time algorithm trying to decide SAT, there exists some polynomially samplable distribution that is hard for it. That is, the algorithm often errs on inputs from this distribution. This is the ¯rst worst-case to average-case reduction for NP of any kind. We stress however, that this does not mean that there exists one ¯xed samplable distribution that is hard for all probabilistic polynomial-time algorithms, which is a pre-requisite assumption needed for one-way func- tions and cryptography (even if not a su±cient assumption). Neverthe- less, we do show that there is a ¯xed distribution on instances of NP- complete languages, that is samplable in quasi-polynomial time and is hard for all probabilistic polynomial-time algorithms (unless NP is easy in the worst case). Our results are based on the following lemma that may be of independent interest: Given the description of an e±cient (probabilistic) algorithm that fails to solve SAT in the worst case, we can e±ciently generate at most three Boolean formulae (of increasing lengths) such that the algorithm errs on at least one of them. Keywords. Average-case complexity, Worst-case to average-case re- ductions, Foundations of cryptography, Pseudo classes Subject classi¯cation. 68Q10 (Modes of computation (nondetermin- istic, parallel, interactive, probabilistic, etc.) 68Q15 Complexity classes (hierarchies, relations among complexity classes, etc.) 68Q17 Compu- tational di±culty of problems (lower bounds, completeness, di±culty of approximation, etc.) 94A60 Cryptography 2 Gutfreund, Shaltiel & Ta-Shma 1.
    [Show full text]
  • On the Randomness Complexity of Interactive Proofs and Statistical Zero-Knowledge Proofs*
    On the Randomness Complexity of Interactive Proofs and Statistical Zero-Knowledge Proofs* Benny Applebaum† Eyal Golombek* Abstract We study the randomness complexity of interactive proofs and zero-knowledge proofs. In particular, we ask whether it is possible to reduce the randomness complexity, R, of the verifier to be comparable with the number of bits, CV , that the verifier sends during the interaction. We show that such randomness sparsification is possible in several settings. Specifically, unconditional sparsification can be obtained in the non-uniform setting (where the verifier is modelled as a circuit), and in the uniform setting where the parties have access to a (reusable) common-random-string (CRS). We further show that constant-round uniform protocols can be sparsified without a CRS under a plausible worst-case complexity-theoretic assumption that was used previously in the context of derandomization. All the above sparsification results preserve statistical-zero knowledge provided that this property holds against a cheating verifier. We further show that randomness sparsification can be applied to honest-verifier statistical zero-knowledge (HVSZK) proofs at the expense of increasing the communica- tion from the prover by R−F bits, or, in the case of honest-verifier perfect zero-knowledge (HVPZK) by slowing down the simulation by a factor of 2R−F . Here F is a new measure of accessible bit complexity of an HVZK proof system that ranges from 0 to R, where a maximal grade of R is achieved when zero- knowledge holds against a “semi-malicious” verifier that maliciously selects its random tape and then plays honestly.
    [Show full text]
  • Computational Complexity and Intractability: an Introduction to the Theory of NP Chapter 9 2 Objectives
    1 Computational Complexity and Intractability: An Introduction to the Theory of NP Chapter 9 2 Objectives . Classify problems as tractable or intractable . Define decision problems . Define the class P . Define nondeterministic algorithms . Define the class NP . Define polynomial transformations . Define the class of NP-Complete 3 Input Size and Time Complexity . Time complexity of algorithms: . Polynomial time (efficient) vs. Exponential time (inefficient) f(n) n = 10 30 50 n 0.00001 sec 0.00003 sec 0.00005 sec n5 0.1 sec 24.3 sec 5.2 mins 2n 0.001 sec 17.9 mins 35.7 yrs 4 “Hard” and “Easy” Problems . “Easy” problems can be solved by polynomial time algorithms . Searching problem, sorting, Dijkstra’s algorithm, matrix multiplication, all pairs shortest path . “Hard” problems cannot be solved by polynomial time algorithms . 0/1 knapsack, traveling salesman . Sometimes the dividing line between “easy” and “hard” problems is a fine one. For example, . Find the shortest path in a graph from X to Y (easy) . Find the longest path (with no cycles) in a graph from X to Y (hard) 5 “Hard” and “Easy” Problems . Motivation: is it possible to efficiently solve “hard” problems? Efficiently solve means polynomial time solutions. Some problems have been proved that no efficient algorithms for them. For example, print all permutation of a number n. However, many problems we cannot prove there exists no efficient algorithms, and at the same time, we cannot find one either. 6 Traveling Salesperson Problem . No algorithm has ever been developed with a Worst-case time complexity better than exponential .
    [Show full text]
  • NP-Completeness Part I
    NP-Completeness Part I Outline for Today ● Recap from Last Time ● Welcome back from break! Let's make sure we're all on the same page here. ● Polynomial-Time Reducibility ● Connecting problems together. ● NP-Completeness ● What are the hardest problems in NP? ● The Cook-Levin Theorem ● A concrete NP-complete problem. Recap from Last Time The Limits of Computability EQTM EQTM co-RE R RE LD LD ADD HALT ATM HALT ATM 0*1* The Limits of Efficient Computation P NP R P and NP Refresher ● The class P consists of all problems solvable in deterministic polynomial time. ● The class NP consists of all problems solvable in nondeterministic polynomial time. ● Equivalently, NP consists of all problems for which there is a deterministic, polynomial-time verifier for the problem. Reducibility Maximum Matching ● Given an undirected graph G, a matching in G is a set of edges such that no two edges share an endpoint. ● A maximum matching is a matching with the largest number of edges. AA maximummaximum matching.matching. Maximum Matching ● Jack Edmonds' paper “Paths, Trees, and Flowers” gives a polynomial-time algorithm for finding maximum matchings. ● (This is the same Edmonds as in “Cobham- Edmonds Thesis.) ● Using this fact, what other problems can we solve? Domino Tiling Domino Tiling Solving Domino Tiling Solving Domino Tiling Solving Domino Tiling Solving Domino Tiling Solving Domino Tiling Solving Domino Tiling Solving Domino Tiling Solving Domino Tiling The Setup ● To determine whether you can place at least k dominoes on a crossword grid, do the following: ● Convert the grid into a graph: each empty cell is a node, and any two adjacent empty cells have an edge between them.
    [Show full text]
  • Lecture 9 1 Interactive Proof Systems/Protocols
    CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 9 Lecture date: March 7-9, 2005 Scribe: S. Bhattacharyya, R. Deak, P. Mirzadeh 1 Interactive Proof Systems/Protocols 1.1 Introduction The traditional mathematical notion of a proof is a simple passive protocol in which a prover P outputs a complete proof to a verifier V who decides on its validity. The interaction in this traditional sense is minimal and one-way, prover → verifier. The observation has been made that allowing the verifier to interact with the prover can have advantages, for example proving the assertion faster or proving more expressive languages. This extension allows for the idea of interactive proof systems (protocols). The general framework of the interactive proof system (protocol) involves a prover P with an exponential amount of time (computationally unbounded) and a verifier V with a polyno- mial amount of time. Both P and V exchange multiple messages (challenges and responses), usually dependent upon outcomes of fair coin tosses which they may or may not share. It is easy to see that since V is a poly-time machine (PPT), only a polynomial number of messages may be exchanged between the two. P ’s objective is to convince (prove to) the verifier the truth of an assertion, e.g., claimed knowledge of a proof that x ∈ L. V either accepts or rejects the interaction with the P . 1.2 Definition of Interactive Proof Systems An interactive proof system for a language L is a protocol PV for communication between a computationally unbounded (exponential time) machine P and a probabilistic poly-time (PPT) machine V such that the protocol satisfies the properties of completeness and sound- ness.
    [Show full text]
  • Interactive Proofs 1 1 Pspace ⊆ IP
    CS294: Probabilistically Checkable and Interactive Proofs January 24, 2017 Interactive Proofs 1 Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Mariel Supina 1 Pspace ⊆ IP The first proof that Pspace ⊆ IP is due to Shamir, and a simplified proof was given by Shen. These notes discuss the simplified version in [She92], though most of the ideas are the same as those in [Sha92]. Notes by Katz also served as a reference [Kat11]. Theorem 1 ([Sha92]) Pspace ⊆ IP. To show the inclusion of Pspace in IP, we need to begin with a Pspace-complete language. 1.1 True Quantified Boolean Formulas (tqbf) Definition 2 A quantified boolean formula (QBF) is an expression of the form 8x19x28x3 ::: 9xnφ(x1; : : : ; xn); (1) where φ is a boolean formula on n variables. Note that since each variable in a QBF is quantified, a QBF is either true or false. Definition 3 tqbf is the language of all boolean formulas φ such that if φ is a formula on n variables, then the corresponding QBF (1) is true. Fact 4 tqbf is Pspace-complete (see section 2 for a proof). Hence to show that Pspace ⊆ IP, it suffices to show that tqbf 2 IP. Claim 5 tqbf 2 IP. In order prove claim 5, we will need to present a complete and sound interactive protocol that decides whether a given QBF is true. In the sum-check protocol we used an arithmetization of a 3-CNF boolean formula. Likewise, here we will need a way to arithmetize a QBF. 1.2 Arithmetization of a QBF We begin with a boolean formula φ, and we let n be the number of variables and m the number of clauses of φ.
    [Show full text]
  • Interactive Proofs for Quantum Computations
    Innovations in Computer Science 2010 Interactive Proofs For Quantum Computations Dorit Aharonov Michael Ben-Or Elad Eban School of Computer Science, The Hebrew University of Jerusalem, Israel [email protected] [email protected] [email protected] Abstract: The widely held belief that BQP strictly contains BPP raises fundamental questions: Upcoming generations of quantum computers might already be too large to be simulated classically. Is it possible to experimentally test that these systems perform as they should, if we cannot efficiently compute predictions for their behavior? Vazirani has asked [21]: If computing predictions for Quantum Mechanics requires exponential resources, is Quantum Mechanics a falsifiable theory? In cryptographic settings, an untrusted future company wants to sell a quantum computer or perform a delegated quantum computation. Can the customer be convinced of correctness without the ability to compare results to predictions? To provide answers to these questions, we define Quantum Prover Interactive Proofs (QPIP). Whereas in standard Interactive Proofs [13] the prover is computationally unbounded, here our prover is in BQP, representing a quantum computer. The verifier models our current computational capabilities: it is a BPP machine, with access to few qubits. Our main theorem can be roughly stated as: ”Any language in BQP has a QPIP, and moreover, a fault tolerant one” (providing a partial answer to a challenge posted in [1]). We provide two proofs. The simpler one uses a new (possibly of independent interest) quantum authentication scheme (QAS) based on random Clifford elements. This QPIP however, is not fault tolerant. Our second protocol uses polynomial codes QAS due to Ben-Or, Cr´epeau, Gottesman, Hassidim, and Smith [8], combined with quantum fault tolerance and secure multiparty quantum computation techniques.
    [Show full text]
  • Lecture 11 1 Non-Uniform Complexity
    Notes on Complexity Theory Last updated: October, 2011 Lecture 11 Jonathan Katz 1 Non-Uniform Complexity 1.1 Circuit Lower Bounds for a Language in §2 \ ¦2 We have seen that there exist \very hard" languages (i.e., languages that require circuits of size (1 ¡ ")2n=n). If we can show that there exists a language in NP that is even \moderately hard" (i.e., requires circuits of super-polynomial size) then we will have proved P 6= NP. (In some sense, it would be even nicer to show some concrete language in NP that requires circuits of super-polynomial size. But mere existence of such a language is enough.) c Here we show that for every c there is a language in §2 \ ¦2 that is not in size(n ). Note that this does not prove §2 \ ¦2 6⊆ P=poly since, for every c, the language we obtain is di®erent. (Indeed, using the time hierarchy theorem, we have that for every c there is a language in P that is not in time(nc).) What is particularly interesting here is that (1) we prove a non-uniform lower bound and (2) the proof is, in some sense, rather simple. c Theorem 1 For every c, there is a language in §4 \ ¦4 that is not in size(n ). Proof Fix some c. For each n, let Cn be the lexicographically ¯rst circuit on n inputs such c that (the function computed by) Cn cannot be computed by any circuit of size at most n . By the c+1 non-uniform hierarchy theorem (see [1]), there exists such a Cn of size at most n (for n large c enough).
    [Show full text]